From 690712428a65199a829727eca6c5c3ec2dd24632 Mon Sep 17 00:00:00 2001
From: Petr Stodulka
Date: Fri, 3 Nov 2023 17:18:09 +0100
Subject: [PATCH] squash! Add actors for OpenSSL conf and IBMCA
* switch the severity for openssl config file to HIGH as per openssl team the system could be uneccessible in some cases
* updated report msg for IBMCA; rhel 9+ uses "openssl providers" instead of engines, so keep proper wording.
* also groups have been updated
---
.../libraries/checkopensslconf.py | 23 +++++++++----------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/repos/system_upgrade/common/actors/openssl/checkopensslconf/libraries/checkopensslconf.py b/repos/system_upgrade/common/actors/openssl/checkopensslconf/libraries/checkopensslconf.py
index 1bdcb64bb5..c56bf55fe4 100644
--- a/repos/system_upgrade/common/actors/openssl/checkopensslconf/libraries/checkopensslconf.py
+++ b/repos/system_upgrade/common/actors/openssl/checkopensslconf/libraries/checkopensslconf.py
@@ -13,32 +13,32 @@ def check_ibmca():
 return
 if not has_package(InstalledRedHatSignedRPM, 'openssl-ibmca'):
 return
- # TODO(pstodulk): check with @ksrot whether this is relevant for IPU 8 -> 9 also
- # (orig msg was for IPU 7 -> 8 only); engine vs provider?
- # https://www.ibm.com/docs/en/linux-on-z?topic=openssl-using-ibmca-provider
+ # In RHEL 9 has been introduced new technology: openssl provides. The engine
+ # is deprecated, so keep proper teminology to not confuse users.
+ dst_tech = 'engine' if version.get_target_major_version() == '8' else 'provides'
 summary = (
 'The presence of openssl-ibmca package suggests that the system may be configured'
 ' to use the IBMCA OpenSSL engine.'
 ' Due to major changes in OpenSSL and libica between RHEL {old} and RHEL {new} it is not'
 ' possible to migrate OpenSSL configuration files automatically. Therefore,'
- ' it is necessary to enable IBMCA engine in the OpenSSL config file manually'
+ ' it is necessary to enable IBMCA {tech} in the OpenSSL config file manually'
 ' after the system upgrade.'
 .format(
 old=version.get_source_major_version(),
- new=version.get_target_major_version()
+ new=version.get_target_major_version(),
+ tech=dst_tech
 )
 )
 hint = (
- 'Configure the IBMCA engine manually after the upgrade.'
+ 'Configure the IBMCA {tech} manually after the upgrade.'
 ' Please, be aware that it is not recommended to configure the system default'
 ' /etc/pki/tls/openssl.cnf. Instead, it is recommended to configure a copy of'
 ' that file and used this copy only for particular applications that are supposed'
- ' to utilize the IBMCA engine. The location of the OpenSSL configuration file'
+ ' to utilize the IBMCA {tech}. The location of the OpenSSL configuration file'
 ' can be specified using the OPENSSL_CONF environment variable.'
+ .format(tech=dst_tech)
 )
- # TODO(pstodulk): is there a doc?
- # TODO(pstodulk): encryption, security groups?
 reporting.create_report([
 reporting.Title('Detected possible use of IBMCA in OpenSSL'),
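Review bot: The new `dst_tech` assignment selects the literal `'provides'` for any target other than RHEL 8, but the OpenSSL 3 term (and the one the commit message itself uses) is "provider", so on an 8→9 upgrade the rendered summary and hint would read "enable IBMCA provides in the OpenSSL config file". Change the literal and tidy the comment, e.g. `# RHEL 9 ships OpenSSL 3, where engines are deprecated in favour of providers;` / `# use the matching term so the report does not confuse users.` / `dst_tech = 'engine' if version.get_target_major_version() == '8' else 'provider'`. The first sentence of `summary` still says "IBMCA OpenSSL engine" regardless of target, which looks intentional because it describes the source system, but a one-line comment saying so would stop a later "fix" from templating it too. Note that `check_ibmca` begins before this hunk and its `create_report` call continues past it.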
@@ -47,8 +47,7 @@ def check_ibmca():
 reporting.Severity(reporting.Severity.MEDIUM),
 reporting.Groups([
 reporting.Groups.POST,
- reporting.Groups.SECURITY,
- reporting.Groups.SERVICES
+ reporting.Groups.ENCRYPTION
 ]),
 ])
@@ -80,7 +79,7 @@ def check_default_openssl():
 reporting.Title('The /etc/pki/tls/openssl.cnf file will be replaced by the target RHEL default.'),
 reporting.Summary(summary),
 reporting.Remediation(hint=hint),
- reporting.Severity(reporting.Severity.MEDIUM),
+ reporting.Severity(reporting.Severity.HIGH),
 reporting.Groups([reporting.Groups.POST, reporting.Groups.SECURITY]),
 ])
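Review bot: After this commit the two reports in this file are tagged inconsistently: the IBMCA report above now carries only `POST` and `ENCRYPTION`, while the openssl.cnf report in this hunk keeps `reporting.Groups([reporting.Groups.POST, reporting.Groups.SECURITY])`. Both reports concern the same OpenSSL configuration file and which engines/providers it loads, so a user filtering the report by either group would see only one of them; consider `reporting.Groups([reporting.Groups.POST, reporting.Groups.SECURITY, reporting.Groups.ENCRYPTION])` here, or adding `SECURITY` back to the IBMCA report, and documenting the choice in a short comment. The body of `check_default_openssl`, including the `summary` and `hint` it formats, lies outside the hunk, so I cannot verify that the text explains why the severity is now HIGH (the commit message cites a system that may become unreachable); if it does not, that justification belongs in the summary so the severity is actionable.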